Skip to content
This repository has been archived by the owner on Jun 9, 2024. It is now read-only.

Commit

Permalink
Merge pull request from GHSA-8459-6rc9-8vf8
Browse files Browse the repository at this point in the history
NETDEV-4268: Fix octorpki path traversal vulnerability
  • Loading branch information
dhaynespls authored Feb 14, 2022
2 parents f5aeb07 + eb9cc4d commit 4e5c4f1
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
6 changes: 4 additions & 2 deletions cmd/octorpki/octorpki.go
Original file line number Diff line number Diff line change
Expand Up @@ -316,8 +316,10 @@ func (s *state) WriteRsyncFileOnDisk(path string, data []byte, withdraw bool) er
if err != nil {
log.Fatal(err)
}
// GHSA-cqh2-vc2f-q4fh: Prevent parent directory writes outside of Basepath
fPath = strings.ReplaceAll(fPath, "../", "")
// GHSA-8459-6rc9-8vf8: Prevent parent directory writes outside of Basepath
if strings.Contains(fPath, "../") || strings.Contains(fPath, "..\\") {
return fmt.Errorf("Path %q contains illegal path element", fPath)
}

f, err := os.Create(filepath.Join(s.Basepath, fPath))
if err != nil {
Expand Down
15 changes: 10 additions & 5 deletions validator/pki/pki.go
Original file line number Diff line number Diff line change
Expand Up @@ -596,7 +596,10 @@ func (v *Validator) ValidateROA(roa *librpki.RPKIROA) error {
}

func (v *Validator) AddManifest(pkifile *PKIFile, mft *librpki.RPKIManifest) (bool, []*PKIFile, *Resource, error) {
pathCert := ExtractPathManifest(mft)
pathCert, err := ExtractPathManifest(mft)
if err != nil {
return false, nil, nil, fmt.Errorf("ExtractPathManifest failed: %v", err)
}

valid, _, res, err := v.AddCert(mft.Certificate, false)
if res == nil {
Expand Down Expand Up @@ -751,22 +754,24 @@ func ExtractPathCert(cert *librpki.RPKICertificate) []*PKIFile {
}

// Returns the list of files from the Manifest
func ExtractPathManifest(mft *librpki.RPKIManifest) []*PKIFile {
func ExtractPathManifest(mft *librpki.RPKIManifest) ([]*PKIFile, error) {
fileList := make([]*PKIFile, 0)
for _, file := range mft.Content.FileList {
curFile := file.Name
path := string(curFile)
// GHSA-cqh2-vc2f-q4fh: Prevent file path references to parent
// GHSA-8459-6rc9-8vf8: Prevent file path references to parent
// directories.
path = strings.ReplaceAll(path, "../", "")
if strings.Contains(path, "../") || strings.Contains(path, "..\\") {
return nil, fmt.Errorf("Path %q contains illegal path element", path)
}
item := PKIFile{
Type: DetermineType(path),
Path: path,
ManifestHash: file.GetHash(),
}
fileList = append(fileList, &item)
}
return fileList
return fileList, nil
}

func (sm *SimpleManager) AddInitial(fileList []*PKIFile) {
Expand Down

0 comments on commit 4e5c4f1

Please sign in to comment.